Commit Graph

1028 Commits

Author SHA1 Message Date
Bruce Momjian
73e2431817 Major pgcrypto changes:
of password-based encryption from RFC2440 (OpenPGP).

The goal of this code is to be a more featureful encryption solution
than the current encrypt(), whose only functionality is running a cipher
over data.

Compared to encrypt(), pgp_encrypt() does the following:

* It uses the equivalent of a random Initial Vector to get the cipher
  into a random state before it processes user data
* Stores SHA-1 of the data into result so any modification
  will be detected.
* Remembers if data was text or binary - thus it can decrypt
  to/from text data.  This was a major nuisance for encrypt().
* Stores info about used algorithms with result, so the user need
  not remember them - more user friendly!
* Uses String2Key algorithms (similar to crypt()) with random salt
  to generate full-length binary key to be used for encrypting.
* Uses standard format for data - you can feed it to GnuPG, if needed.

Optional features (off by default):

* Can use separate session key - user data will be encrypted
  with totally random key, which will be encrypted with S2K
  generated key and attached to result.
* Data compression with zlib.
* Can convert between CRLF<->LF line-endings - to get fully
  RFC2440-compliant behaviour.  This is off by default as
  pgcrypto does not know the line-endings of user data.

The interface is simple:

    pgp_encrypt(data text, key text) returns bytea
    pgp_decrypt(data text, key text) returns text
    pgp_encrypt_bytea(data bytea, key text) returns bytea
    pgp_decrypt_bytea(data bytea, key text) returns bytea

To change parameters (cipher, compression, mdc):

    pgp_encrypt(data text, key text, parms text) returns bytea
    pgp_decrypt(data text, key text, parms text) returns text
    pgp_encrypt_bytea(data bytea, key text, parms text) returns bytea
    pgp_decrypt_bytea(data bytea, key text, parms text) returns bytea

Parameter names I lifted from gpg:

   pgp_encrypt('message', 'key', 'compress-algo=1,cipher-algo=aes256')

For text data, pgp_encrypt simply encrypts the PostgreSQL internal data.

This maps to RFC2440 data type 't' - 'externally specified encoding'.
But this may cause problems if data is dumped and reloaded into a database
which has a different internal encoding.  My next goal is to implement data
type 'u' - which means data is in UTF-8 encoding by converting internal
encoding to UTF-8 and back.  And there won't be any compatibility
problems with current code, I think it's ok to submit this without UTF-8
support.


Here is v4 of PGP encrypt.  This depends on previously sent
Fortuna-patch, as it uses the px_add_entropy function.

- New function: pgp_key_id() for finding key IDs.
- Add SHA1 of user data and key into RNG pools.  We need to get
  randomness from somewhere, and it is in the user's best interests
  to contribute.
- Regenerate pgp-armor test for SQL_ASCII database.
- Cleanup the key handling so that the pubkey support is less
  hackish.

Marko Kreen
2005-07-10 03:57:55 +00:00
Bruce Momjian
4fcf8b11ff - Add Fortuna PRNG to pgcrypto.
- Move openssl random provider to openssl.c and builtin provider
  to internal.c
- Make px_random_bytes use Fortuna, instead of giving error.
- Retarget random.c to acquiring system randomness, for initial seeding
  of Fortuna.  There are ATM 2 functions for Windows,
  reader from /dev/urandom and the regular time()/getpid() silliness.

Marko Kreen
2005-07-10 03:55:28 +00:00
Bruce Momjian
248eeb82f0 This patch adds implementation of SHA2 to pgcrypto.
New hashes: SHA256, SHA384, SHA512.

Marko Kreen
2005-07-10 03:52:56 +00:00
Tom Lane
be3aa30da3 Fix inadequate error checking: you can't assume that fcinfo->resultinfo
is a ReturnSetInfo unless you've tested it with IsA.
2005-07-09 01:53:22 +00:00
Neil Conway
86897f54a8 This patch updates the DDL for contrib/pgcrypto to create all
functions as STRICT, and all functions except gen_salt() as IMMUTABLE.
gen_salt() is VOLATILE.

Although the functions are now STRICT, I left their PG_ARGISNULL()
checks in place as a protective measure for users who install the
new code but use old (non-STRICT) catalog entries (e.g., restored
from a dump).  Per recent discussion in pgsql-hackers.

Patch from Michael Fuhr.
2005-07-08 04:27:49 +00:00
Tom Lane
3d6b0d8631 Fix incorrect PG_CPPFLAGS initialization, per Marko. 2005-07-06 16:14:42 +00:00
Tom Lane
84d630eb24 Dept of second thoughts: don't expose rijndael.tbl: rijndael.c dependency
to make.  We ship the table file in the tarball and so this dependency
just opens file timestamp skew problems without doing anything useful.
(Not that it should hurt, either ... except for cross-compile builds.)
2005-07-05 23:18:44 +00:00
Tom Lane
c19aa704c8 Fix contrib/pgcrypto to autoconfigure for OpenSSL when --with-openssl
is used in the toplevel configure.  Per Marko Kreen.
2005-07-05 23:13:57 +00:00
Tom Lane
576ac4b8c9 Fix initialization bug in pgcrypto openssl code. Marko Kreen 2005-07-05 18:15:36 +00:00
Tom Lane
eb5949d190 Arrange for the postmaster (and standalone backends, initdb, etc) to
chdir into PGDATA and subsequently use relative paths instead of absolute
paths to access all files under PGDATA.  This seems to give a small
performance improvement, and it should make the system more robust
against naive DBAs doing things like moving a database directory that
has a live postmaster in it.  Per recent discussion.
2005-07-04 04:51:52 +00:00
Bruce Momjian
a3ff1aad5d Bruce, please apply this additional patch, that fixes the
auto-detection of AES.

Now openssl.c just checks OpenSSL version.  Whoever compiles
newer OpenSSL without AES is on his own.

Marko Kreen
2005-07-04 02:02:01 +00:00
Bruce Momjian
76eca0ec98 This patch allows contrib/pgcrypto to build with OpenSSL 0.9.8
(currently in beta) when cryptolib = openssl.  According to the
following checkin message from several years ago, OpenSSL application
developers should no longer rely on <openssl/evp.h> to include
everything they need:

http://cvs.openssl.org/chngview?cn=9888

This patch adds the necessary header files.  It doesn't appear to
break anything when building against OpenSSL 0.9.7.

BTW, core appears to build and work fine with OpenSSL 0.9.8.  I've
built 7.3 through HEAD against 0.9.8-beta6 without noticing any
problems.

Michael Fuhr
2005-07-03 02:32:56 +00:00
Tom Lane
e6a8eba3f2 Remove contrib version of rtree_gist --- now in core system. 2005-07-01 19:23:07 +00:00
Teodor Sigaev
ef770cbb69 Fixes from Janko Richter <jankorichter@yahoo.de>
- Fix wrong index results on text, char, varchar for multibyte strings
- Fix some SIGFPE signals
- Add support for infinite timestamps
- Because of locale settings, btree_gist cannot be a prefix index anymore (for text).
  Each node holds now just the lower and upper boundary.
2005-07-01 13:44:56 +00:00
Tom Lane
b5f7cff84f Clean up the rather historically encumbered interface to now() and
current time: provide a GetCurrentTimestamp() function that returns
current time in the form of a TimestampTz, instead of separate time_t
and microseconds fields.  This is what all the callers really want
anyway, and it eliminates low-level dependencies on AbsoluteTime,
which is a deprecated datatype that will have to disappear eventually.
2005-06-29 22:51:57 +00:00
Tom Lane
dcf2e1c8c7 Remove the << >> &< and &> operators for contrib/cube, which were
wrong, but nobody noticed because they were also useless.
2005-06-27 01:19:43 +00:00
Tom Lane
54c80a3434 Adjust contrib/seg &< and &> operators so that r-tree indexing logic
works properly for 1-D comparisons.  Fix some other errors such as
bogus commutator specifications.
2005-06-27 00:48:07 +00:00
Bruce Momjian
bb3cce4ec9 Add E'' syntax so eventually normal strings can treat backslashes
literally.

Add GUC variables:

        "escape_string_warning" - warn about backslashes in non-E strings
        "escape_string_syntax" - supports E'' syntax?
        "standard_compliant_strings" - treats backslashes literally in ''

Update code to use E'' when escapes are used.
2005-06-26 03:04:37 +00:00
Tom Lane
b90f8f20f0 Extend r-tree operator classes to handle Y-direction tests equivalent
to the existing X-direction tests.  An rtree class now includes 4 actual
2-D tests, 4 1-D X-direction tests, and 4 1-D Y-direction tests.
This involved adding four new Y-direction test operators for each of
box and polygon; I followed the PostGIS project's lead as to the names
of these operators.
NON BACKWARDS COMPATIBLE CHANGE: the poly_overleft (&<) and poly_overright
(&>) operators now have semantics comparable to box_overleft and box_overright.
This is necessary to make r-tree indexes work correctly on polygons.
Also, I changed circle_left and circle_right to agree with box_left and
box_right --- formerly they allowed the boundaries to touch.  This isn't
actually essential given the lack of any r-tree opclass for circles, but
it seems best to sync all the definitions while we are at it.
2005-06-24 20:53:34 +00:00
Tom Lane
9a09248edd Fix rtree and contrib/rtree_gist search behavior for the 1-D box and
polygon operators (<<, &<, >>, &>).  Per ideas originally put forward
by andrew@supernews and later rediscovered by moi.  This patch just
fixes the existing opclasses, and does not add any new behavior as I
proposed earlier; that can be sorted out later.  In principle this
could be back-patched, since it changes only search behavior and not
system catalog entries nor rtree index contents.  I'm not currently
planning to do that, though, since I think it could use more testing.
2005-06-24 00:18:52 +00:00
Tom Lane
2f5c47e882 Move findoidjoins out of contrib and into src/tools, which is a more
logical place for it since it is of no use to users.  Per recent
discussions on cleaning up contrib.
2005-06-23 02:33:28 +00:00
Tom Lane
5b0c9d3603 Cleanup the contrib/lo module: there is no need anymore to implement
a physically separate type.  Defining 'lo' as a domain over OID works
just fine and is more efficient.  Improve documentation and fix up the
test script.  (Would like to turn test script into a proper regression
test, but right now its output is not constant because of numeric OIDs;
plus it makes Unix-specific assumptions about files it can import.)
2005-06-23 00:06:37 +00:00
Tom Lane
d20763dbee Remove contrib modules that have been agreed to be obsolete.
(There are more that will be removed once they've been copied to
pgfoundry.org.)
2005-06-22 22:56:29 +00:00
Tom Lane
6f7fc0bade Cause initdb to create a third standard database "postgres", which
unlike template0 and template1 does not have any special status in
terms of backend functionality.  However, all external utilities such
as createuser and createdb now connect to "postgres" instead of
template1, and the documentation is changed to encourage people to use
"postgres" instead of template1 as a play area.  This should fix some
longstanding gotchas involving unexpected propagation of database
objects by createdb (when you used template1 without understanding
the implications), as well as ameliorating the problem that CREATE
DATABASE is unhappy if anyone else is connected to template1.
Patch by Dave Page, minor editing by Tom Lane.  All per recent
pghackers discussions.
2005-06-21 04:02:34 +00:00
Tom Lane
368739dca8 Fix bogus assumption that sizeof() produces an int-sized result. 2005-06-20 00:32:22 +00:00
Tom Lane
3f749924f8 Simplify uses of readdir() by creating a function ReadDir() that
includes error checking and an appropriate ereport(ERROR) message.
This gets rid of rather tedious and error-prone manipulation of errno,
as well as a Windows-specific bug workaround, at more than a dozen
call sites.  After an idea in a recent patch by Heikki Linnakangas.
2005-06-19 21:34:03 +00:00
Bruce Momjian
1f01d59e06 Fix display of database name during autovacuum.
Cosimo Streppone
2005-06-15 13:55:23 +00:00
Tom Lane
8563ccae2c Simplify shared-memory lock data structures as per recent discussion:
it is sufficient to track whether a backend holds a lock or not, and
store information about transaction vs. session locks only in the
inside-the-backend LocalLockTable.  Since there can now be but one
PROCLOCK per lock per backend, LockCountMyLocks() is no longer needed,
thus eliminating some O(N^2) behavior when a backend holds many locks.
Also simplify the LockAcquire/LockRelease API by passing just a
'sessionLock' boolean instead of a transaction ID.  The previous API
was designed with the idea that per-transaction lock holding would be
important for subtransactions, but now that we have subtransactions we
know that this is unwanted.  While at it, add an 'isTempObject' parameter
to LockAcquire to indicate whether the lock is being taken on a temp
table.  This is not used just yet, but will be needed shortly for
two-phase commit.
2005-06-14 22:15:33 +00:00
Teodor Sigaev
7148de1fa8 Prevent division by zero and range out of 0..1 2005-06-01 11:45:03 +00:00
Tom Lane
12a323b7a8 Change relblocknumber field of pg_buffercache view from numeric to int8
for efficiency's sake.  Mark Kirkwood.
2005-05-31 00:07:47 +00:00
Tom Lane
978129f28e Document get_call_result_type() and friends; mark TypeGetTupleDesc()
and RelationNameGetTupleDesc() as deprecated; remove uses of the
latter in the contrib library.  Along the way, clean up crosstab()
code and documentation a little.
2005-05-30 23:09:07 +00:00
Tom Lane
140b078d2a Improve LockAcquire API per my recent proposal. All error conditions
are now reported via elog, eliminating the need to test the result code
at most call sites.  Make it possible for the caller to distinguish a
freshly acquired lock from one already held in the current transaction.
Use that capability to avoid redundant AcceptInvalidationMessages() calls
in LockRelation().
2005-05-29 22:45:02 +00:00
Tom Lane
e92a88272e Modify hash_search() API to prevent future occurrences of the error
spotted by Qingqing Zhou.  The HASH_ENTER action now automatically
fails with elog(ERROR) on out-of-memory --- which incidentally lets
us eliminate duplicate error checks in quite a bunch of places.  If
you really need the old return-NULL-on-out-of-memory behavior, you
can ask for HASH_ENTER_NULL.  But there is now an Assert in that path
checking that you aren't hoping to get that behavior in a palloc-based
hash table.
Along the way, remove the old HASH_FIND_SAVE/HASH_REMOVE_SAVED actions,
which were not being used anywhere anymore, and were surely too ugly
and unsafe to want to see revived again.
2005-05-29 04:23:07 +00:00
Tom Lane
b4176e9f4c Clean up bogus checking of date and numeric fields in DBF files,
per report from Boris van Schooten.
2005-05-27 15:44:04 +00:00
Neil Conway
a4374f9070 Remove second argument from textToQualifiedNameList(), as it is no longer
used. From Jaime Casanova.
2005-05-27 00:57:49 +00:00
Bruce Momjian
b492c3accc Add parentheses to macros when args are used in computations. Without
them, the execution behavior could be unexpected.
2005-05-25 21:40:43 +00:00
Neil Conway
a99b2852ca Correct a thinko in pgbench that might result in incorrectly ignoring an
error condition when executing some DDL. Per report from ITAGAKI Takahiro.
2005-05-24 00:26:40 +00:00
Neil Conway
36ab600511 Cleanup of GiST extensions in contrib/: now that we always invoke GiST
methods in a short-lived memory context, there is no need for GiST methods
to do their own manual (and error-prone) memory management.
2005-05-21 12:08:06 +00:00
Tom Lane
191b13aaca Factor out lock cleanup code that is needed in several places in lock.c.
Also, remove the rather useless return value of LockReleaseAll.  Change
response to detection of corruption in the shared lock tables to PANIC,
since that is the only way of cleaning up fully.
Originally an idea of Heikki Linnakangas, variously hacked on by
Alvaro Herrera and Tom Lane.
2005-05-19 23:30:18 +00:00
Tom Lane
a9c4c9cd52 Extend the pg_locks system view so that it can fully display all lock
types, as per recent discussion.
2005-05-17 21:46:11 +00:00
Tom Lane
4e7d6f5349 Add a --dbname option to the pg_regress script, and use pl_regression
for testing PLs and contrib_regression for testing contrib, instead of
overwriting the core system's regression database as formerly done.
Andrew Dunstan
2005-05-17 18:26:23 +00:00
Neil Conway
c891e05f26 Cleanup GiST header files. Since GiST extensions are often written as
external projects, we should be careful about what parts of the GiST
API are considered implementation details, and which are part of the
public API. Therefore, I've moved internal-only declarations into
gist_private.h -- future backward-incompatible changes to gist.h should
be made with care, to avoid needlessly breaking external GiST extensions.

Also did some related header cleanup: remove some unnecessary #includes
from gist.h, and remove some unused definitions: isAttByVal(), _gistdump(),
and GISTNStrategies.
2005-05-17 03:34:18 +00:00
Neil Conway
c6c6fa8f7e Fix typo in comment. 2005-05-16 06:45:57 +00:00
Neil Conway
8d6e9bca37 This patch makes some minor style cleanups to contrib/btree_gist: remove
the "extern" keyword from function definitions, reorganize some
PG_GETARG_XXX() usage, and similar.
2005-05-12 00:39:37 +00:00
Bruce Momjian
cc99c57e1e A small tweak to enable display in the log file
of database name before table name
when VACUUMing or ANALYZing a table.

Cosimo Streppone
2005-05-11 18:07:14 +00:00
Bruce Momjian
be1cc6955c Fix pg_autovacuum -s flag to handle values > 2000 by using sleep()
instead of pg_usleep.

Backpatch to 8.0.X.
2005-05-11 17:57:56 +00:00
Bruce Momjian
8ca26e7799 Tag 1000000L as long for computation. 2005-05-11 14:53:43 +00:00
Tom Lane
278bd0cc22 For some reason access/tupmacs.h has been #including utils/memutils.h,
which is neither needed by nor related to that header.  Remove the bogus
inclusion and instead include the header in those C files that actually
need it.  Also fix unnecessary inclusions and bad inclusion order in
tsearch2 files.
2005-05-06 17:24:55 +00:00
Tom Lane
177af51c04 Change tsearch2 to not use the unsafe practice of creating functions
that return INTERNAL without also having INTERNAL arguments.  Since the
functions in question aren't meant to be called by hand anyway, I just
redeclared them to take 'internal' instead of 'text'.  Also add code
to ProcedureCreate() to enforce the restriction, as I should have done
to start with :-(
2005-05-03 16:51:00 +00:00
Neil Conway
39e54e3208 Fix typos in documentation. 2005-05-03 03:10:01 +00:00